Privacy activists get second shot at Facebook PRISM investigation in Ireland

The Irish High Court has granted the activist group Europe v Facebook a judicial review of an earlier decision by the country’s data protection commissioner, who refused to launch an investigation into Facebook’s alleged transfer of customer data to the NSA.

Europe v Facebook (EvF) is, as the name suggests, a thorn in the social network company’s side. Founded a couple of years ago by a group of Austrian law students, the group generally targets Facebook in Ireland, where all the company’s activities outside North America are headquartered for tax purposes. EvF has seen real results, too, having forced Facebook to alter its policies around photo-tagging in Europe, for example.

PRISM vs Safe Harbor

In June, Edward Snowden’s PRISM revelations showed that the NSA was at least requisitioning – and possibly just plain tapping into – large amounts of customer data from big U.S. tech firms including Facebook, Microsoft, Apple and Google. Viewing this as a breach of European data protection law, and specifically of the “Safe Harbor” agreement that governs the transfer of data from Europe to U.S. web providers, EvF complained to data protection officials in Ireland (regarding Facebook and Apple), Luxembourg (Microsoft/Skype) and Germany (Yahoo).

The Safe Harbor agreement provides a way around an aspect of EU privacy law which states that citizens’ personal data cannot be transferred to a country that does not have similarly strict data protection legislation. The U.S. does not have such laws, so companies there can self-certify as Safe Harbor-compliant, stating that even if their country’s laws aren’t up to scratch, they abide by EU-strength privacy principles.

EvF’s complaints appear to have gained traction in Luxembourg and Germany, but the Irish data protection commissioner (DPC) turned down EvF’s investigation request, with the argument that there was no evidence of unlawful data transfers, and that being registered for the Safe Harbor scheme means Facebook had “met their data protection obligations.”

In case you’re wondering why EvF isn’t going after Apple in Ireland anymore, by the way, Schrems said this was a tactical decision based on the fact that any decision relating to Facebook in this case would necessarily apply to other U.S. firms in the same boat. “We kind of dropped Apple and left it out to not make it even more complicated,” he said.